Restoring Reflective Code Loading on macOS After API Changes
🦠 Restoring Reflective Code Loading on macOS After Apple’s API Changes. Patrick Wardle of the Objective-See Foundation discusses how Apple’s recent changes to macOS APIs have effectively disabled reflective code loading, a technique malware often uses to execute code directly from memory and bypass traditional detection methods. While Apple’s changes enforce file-based loading, Wardle presents a straightforward way to restore the capability with a custom loader based on Apple’s open-source loader code. This approach lets an in-memory payload execute without ever being written to disk, maintaining stealth against security tools. The article also hints at upcoming strategies defenders can use to counter these stealthy techniques, underscoring the ongoing cat-and-mouse game between malware authors and cybersecurity professionals.
